Address comments base on reviews
Improve early data indication check
Update test case to gnutls server

Signed-off-by: Xiaokang Qian <[email protected]>
xkqian committed Nov 8, 2022
1 parent 8922a2e commit d2bf636
Showing 5 changed files with 36 additions and 31 deletions.
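--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -802,11 +802,23 @@ typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
 #endif
 
 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
-#define MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN 0
-#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT 1
-#define MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED 2
-#define MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED 3
+#define MBEDTLS_SSL_EARLY_DATA_STATUS_UNKNOWN 0
+#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT 1
+#define MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT 2
+#define MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED 3
+#define MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED 4
 #endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+
+typedef enum
+{
+MBEDTLS_SSL_TICKET_ALLOW_EARLY_DATA = 1,
+MBEDTLS_SSL_TICKET_ALLOW_DHE_RESUMPTION = 2,
+MBEDTLS_SSL_TICKET_ALLOW_PSK_RESUMPTION = 4,
+} mbedtls_ssl_ticket_flags;
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
 /**
 * \brief Callback type: server-side session cache getter
 *
@@ -1790,9 +1802,6 @@ struct mbedtls_ssl_context
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
 
 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C)
-/*
-* early data request status
-*/
 int MBEDTLS_PRIVATE(early_data_status);
 #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */
 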
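Review bot: The new `MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT` state and the `early_data_status` field end up with no description at all, because the second hunk removes the only comment on the field and the macros never had one. Early data has weaker replay protection than the rest of the handshake, so a caller must not read `INDICATION_SENT` as acceptance; a one-line comment per macro would make that explicit, e.g. `/* early_data extension sent in ClientHello, server answer not yet received */`. `REJECTED` and `ACCEPTED` also change value (2 to 3, 3 to 4), so any code that stored or compared the raw integers instead of the macro names would misread the status. That deserves a changelog entry if these macros are treated as public.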
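--- a/library/ssl_debug_helpers.h
+++ b/library/ssl_debug_helpers.h
@@ -33,6 +33,11 @@
 
 const char *mbedtls_ssl_states_str( mbedtls_ssl_states in );
 
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+const char *mbedtls_ssl_ticket_flags_str( mbedtls_ssl_ticket_flags in );
+#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_3) &&
+defined(MBEDTLS_SSL_SESSION_TICKETS) */
+
 const char *mbedtls_ssl_protocol_version_str( mbedtls_ssl_protocol_version in );
 
 const char *mbedtls_tls_prf_types_str( mbedtls_tls_prf_types in );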
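Review bot: `mbedtls_ssl_ticket_flags` holds bit values (1, 2, 4) and the client code in this commit combines them with `|=`, so a `_str` helper that takes the enum can name only a single flag; an OR-ed mask has no enumerator of its own. The implementation is not part of this hunk, so how it treats such a value cannot be judged from here. A comment on the declaration such as `/* expects one flag bit, not an OR-ed mask */` would keep debug code from passing `ticket_flags` straight in.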
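--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -879,13 +879,6 @@ struct mbedtls_ssl_handshake_params
 } tls13_master_secrets;
 
 mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets;
-
-#if defined(MBEDTLS_SSL_EARLY_DATA)
-int early_data; /*!< Early data indication:
-* 0 -- MBEDTLS_SSL_EARLY_DATA_DISABLED (for no early data), and
-* 1 -- MBEDTLS_SSL_EARLY_DATA_ENABLED (for use early data)
-*/
-#endif /* MBEDTLS_SSL_EARLY_DATA */
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 
 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)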
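--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -697,8 +697,8 @@ static int ssl_tls13_early_data_has_valid_ticket( mbedtls_ssl_context *ssl )
 {
 mbedtls_ssl_session *session = ssl->session_negotiate;
 return( ssl->handshake->resume &&
-session != NULL && session->ticket != NULL &&
 session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
+( session->ticket_flags & MBEDTLS_SSL_TICKET_ALLOW_EARLY_DATA ) &&
 mbedtls_ssl_tls13_cipher_suite_is_offered(
 ssl, session->ciphersuite ) );
 }
@@ -1167,27 +1167,22 @@ int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
 
 #if defined(MBEDTLS_SSL_EARLY_DATA)
 if( mbedtls_ssl_conf_tls13_some_psk_enabled( ssl ) &&
-( mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 1
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
-|| ssl_tls13_early_data_has_valid_ticket( ssl )
-#endif
-) &&
+ssl_tls13_early_data_has_valid_ticket( ssl ) &&
 ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED )
 {
 ret = mbedtls_ssl_tls13_write_early_data_ext( ssl, p, end, &ext_len );
 if( ret != 0 )
 return( ret );
 p += ext_len;
 
-ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_ON;
-/* Initializes the status to `rejected`. Changes it to `accepted`
+/* Initializes the status to `indication sent`. Changes it to `accepted`
 * when `early_data` is received in EncryptedExtesion. */
-ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED;
+ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_INDICATION_SENT;
 }
 else
 {
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write early_data extension" ) );
-ssl->handshake->early_data = MBEDTLS_SSL_EARLY_DATA_OFF;
+ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT;
 }
 #endif /* MBEDTLS_SSL_EARLY_DATA */
 
@@ -2526,6 +2521,9 @@ static int ssl_tls13_parse_new_session_ticket_exts( mbedtls_ssl_context *ssl,
 {
 case MBEDTLS_TLS_EXT_EARLY_DATA:
 MBEDTLS_SSL_DEBUG_MSG( 4, ( "early_data extension received" ) );
+if( extension_data_len == 4 && ssl->session != NULL)
+ssl->session->ticket_flags |=
+MBEDTLS_SSL_TICKET_ALLOW_EARLY_DATA;
 break;
 
 default: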
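Review bot: In the `MBEDTLS_TLS_EXT_EARLY_DATA` case of `ssl_tls13_parse_new_session_ticket_exts`, an `early_data` extension whose length is not 4 is silently skipped, and the visible lines never read the 4-byte value, so a malformed extension from the peer goes unnoticed. Rejecting it would be stricter, e.g. `if( extension_data_len != 4 ) return( MBEDTLS_ERR_SSL_DECODE_ERROR );`, with a comment that 4 is the size of the `max_early_data_size` field. In the first hunk, `ssl_tls13_early_data_has_valid_ticket` now dereferences `session->tls_version` without the removed `session != NULL` test, which is safe only if `handshake->resume` guarantees a non-NULL `session_negotiate`; that invariant should be stated in a comment or the check restored. The second hunk also calls that helper without the former `MBEDTLS_SSL_SESSION_TICKETS` guard, although ssl.h defines `MBEDTLS_SSL_TICKET_ALLOW_EARLY_DATA` only under that option, so a build with early data but without session tickets likely fails. All three functions extend beyond their hunks.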
14 changes: 7 additions & 7 deletions tests/ssl-opt.sh
Expand Up @@ -13032,15 +13032,15 @@ run_test "TLS 1.3: NewSessionTicket: servername negative check, m->m" \
-s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \
-s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH"

requires_openssl_next
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled MBEDTLS_SSL_EARLY_DATA
run_test "TLS 1.3, ext PSK, early data" \
"$O_NEXT_SRV_EARLY_DATA -msg -debug -tls1_3 -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex -nocert" \
"$P_CLI debug_level=5 force_version=tls13 tls13_kex_modes=psk early_data=1 psk=010203 psk_identity=0a0b0c" \
requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
run_test "TLS 1.3: NewSessionTicket: early data, m->G" \
"$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+PSK --earlydata --disable-client-cert" \
"$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1" \
1 \
-c "=> write client hello" \
-c "client hello, adding early_data extension" \
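Review bot: The replacement test covers only the case where the GnuTLS server is started with `--earlydata`, so nothing checks that the client withholds the extension when the ticket does not permit early data, which is the gate this commit adds. A companion `run_test` against `$G_NEXT_SRV` without `--earlydata`, using the same `reco_mode=1 reconnect=1` client options, could assert `-c "<= skip write early_data extension"` and `-C "client hello, adding early_data extension"`. The `run_test` call continues past the end of the hunk, so its remaining assertions are not visible here.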
